Snort mailing list archives

Unified2 extra data


From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 3 Jan 2013 13:58:35 +0000



Hello there and a Happy New Year to all...

I'm a bit late in reading Joel's blog post:
http://vrt-blog.snort.org/2012/12/exploit-kit-java-user-agent-downloading.html

In particular, I'm interested in the last paragraph:
"Now, even if you don't have a Sourcefire device you can still dump out the "extra data" fields from your unified2 logs 
and see exactly which url's prompted these downloads like I show above."

Reading http://manual.snort.org/node255.html, it implies that

config log_uri
config log_hostname

are useful options to add to snort.conf.

Do these extend the u2 format, or just fill in existing fields?

Is this extra information then understood by the likes of Barnyard2
and added to a database, or only viewable with u2spewfoo?

Thanks.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
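An added example, not code from this post or from the Snort project, that walks a unified2 byte stream and pulls out the URI and hostname extra-data records in the way the question asks about. It assumes the on-disk layout I recall from Snort's Unified2_common.h (record type 110 for extra data, an 8-byte extra-data header, then six big-endian 32-bit fields before the blob, with blob_length counting the data_type and blob_length fields plus the payload) and uses a constructed sample stream; verify the constants against your own Snort source tree.

```python
import struct

# Record type and extra-data subtype constants as I understand them from
# Snort's Unified2_common.h; this is an assumption, check your own tree.
UNIFIED2_EXTRA_DATA = 110
EVENT_INFO_HTTP_URI = 9
EVENT_INFO_HTTP_HOSTNAME = 10
EXTRA_NAMES = {EVENT_INFO_HTTP_URI: "http_uri", EVENT_INFO_HTTP_HOSTNAME: "http_hostname"}

def build_extra_record(sensor_id, event_id, event_second, info_type, payload):
    """Construct one extra-data record; used here only to fabricate sample input."""
    # Unified2ExtraData: sensor_id, event_id, event_second, type, data_type,
    # blob_length (blob_length counts data_type + blob_length + payload bytes).
    extra = struct.pack("!6I", sensor_id, event_id, event_second,
                        info_type, 1, 8 + len(payload)) + payload
    # Unified2ExtraDataHdr: event_type (4 = extra data), event_length.
    body = struct.pack("!2I", 4, 8 + len(extra)) + extra
    # Generic unified2 record header shared by every record: type, length.
    return struct.pack("!2I", UNIFIED2_EXTRA_DATA, len(body)) + body

def iter_records(buf):
    """Walk the (type, length, body) framing that every unified2 record shares."""
    off = 0
    while off + 8 <= len(buf):
        rtype, rlen = struct.unpack_from("!2I", buf, off)
        off += 8
        yield rtype, buf[off:off + rlen]
        off += rlen

def extract_extra_data(buf):
    """Return the URI/hostname values carried in extra-data records, keyed to their event."""
    found = []
    for rtype, body in iter_records(buf):
        if rtype != UNIFIED2_EXTRA_DATA:
            continue  # event and packet records are separate; extra data is its own record
        (sensor_id, event_id, event_second, info_type,
         _data_type, blob_len) = struct.unpack_from("!6I", body, 8)
        payload = body[32:32 + blob_len - 8]
        found.append({"sensor_id": sensor_id, "event_id": event_id,
                      "event_second": event_second,
                      "type": EXTRA_NAMES.get(info_type, str(info_type)),
                      "data": payload.decode("latin-1")})
    return found

# Constructed sample stream: a placeholder non-extra record (skipped), then a
# hostname record and a URI record tied to the same event_id.
SAMPLE = (struct.pack("!2I", 7, 4) + b"\x00" * 4
          + build_extra_record(1, 42, 1357220315, EVENT_INFO_HTTP_HOSTNAME, b"example.invalid")
          + build_extra_record(1, 42, 1357220315, EVENT_INFO_HTTP_URI, b"/app.jar"))
```

Joining the extracted records to the matching event record on (sensor_id, event_id, event_second) gives the per-alert URL view the blog post describes.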

